Schmidt: Cybersecurity a private affair

Howard Schmidt's career in defense, law enforcement and corporate security spans nearly 40 years and includes a stint as vice president, CISO and chief security strategist for online auction giant eBay. He most recently served as chief security strategist for the US CERT Partners Program for the National Cyber Security Division of the Department of Homeland Security (DHS). He also served President George W. Bush as vice chair of the President's Critical Infrastructure Protection Board and as special advisor for cybersecurity at the White House. He sits on a number of corporate boards and is an adjunct professor with Georgia Tech's Information Security Center. Schmidt recently released a new book, "Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security." In this Q&A, he talks about some of those lessons and about why the private sector has a bigger role to play than the government in defending cyberspace.

Your latest book is about the lessons you've learned in your career. What would you list as the top three lessons and why?
The first one is that as we advance in technology, criminals will continue to exploit the great benefits we get from the technology and turn it into something they can benefit from. The second is that the responsibility does not rely solely on the government or law enforcement to protect people from these criminals. We [the private sector] have a responsibility also. The third thing is that as we build new products, services, technology and hardware, they must be built by taking into consideration some of the things the bad guys might do with it. If you couple those three things, we could go a long way in reducing the size of the next book 20 years from now that looks back and says 'gee, we've come a long way and solved a lot of these problems.' You served for a time as a White House cybersecurity advisor, and as you are aware some have criticized the U.S. government for not doing enough to safeguard the nation's IT infrastructure. Is this fair criticism?
I don't think it's a fair criticism at all. In fact, I think it's quite the contrary. Going back to 1997, when we first had the President's Commission on Critical Infrastructure Protection, all the way up to the release of the National Strategy to Secure Cyberspace in 2003, the focus has been that industry owns and operates the vast majority of critical infrastructure and IT that we work in on a daily basis. Private industry must recognize there are interdependencies that they have to each other across various sectors and that we as a nation depend on them. It's not about the government telling industry how to run or secure their systems. Industry knows how to do that. In that respect I'm extremely pleased with what industry has done. Industry has put a lot of effort into developing products and services and dedicating certain personnel to work with the government. The awareness and execution in private industry is higher now than it's ever been in our history. What about the government's efforts to secure its own systems? There has been criticism that the government hasn't put enough effort into securing its own house separate from what's being done in private industry.
There's a tremendous challenge. If you compare resources and the amount of taxpayer dollars allocated to government agencies to what's being spent in the private sector there's a fairly good disparity. There's also disparity in what the government can pay people. I testified before Congress one time and was asked how we keep from losing talented people. My answer was that you just can't compete with private industry as far as benefits, salaries and things like that. What really incentivizes a lot of people is a good solid working environment that makes security personnel feel they are making a difference. Until the government agencies recognize the need to invest more in their people and technologies and realize they are susceptible to the same attacks as private industry, you will continue to see slow progress. There have been a number of efforts to engage government agencies to do a better job, but just creating reports [on government security] for the sake of creating reports isn't enough to get the job done.

More security newsmakers:

Q&A with RSA Security's Art Coviello: RSA helped create the security industry and we sat down with Art Coviello, now the president of the RSA Security division of EMC, to talk about the recent changes and what he expects to see in the coming years.

Who patches better: Microsoft or Mozilla? In this Q&A, Mozilla security chief Window Snyder credits Microsoft for working hard at a faster and more accurate patching process and admits that, sometimes, even Mozilla has to pull back on security updates at the 11th hour.

The Department of Homeland Security has restructured its cybersecurity division in the last year and a half. Do you think the department is moving in the right direction?
The people there now have a tremendous challenge and they're working very hard at it. Over time, as it goes through more reorganization, it will better adjust to the needs of the country. Keep in mind that the agency was set up in the aftermath of 9-11. The way we viewed homeland security at that time has changed in the last six years. As for what's been done, the most important one was to appoint an assistant secretary for cybersecurity and telecommunications. It raises the level of authority and visibility of that position in that department, which sends a clear message to the private sector that this is an important issue from the government's perspective. The second thing it does is it starts to bring that convergence of telecommunications and cybersecurity closer than ever before. You've been speaking out lately about the security challenges of VoIP. Do you think companies are adopting the technology far faster than their ability to properly secure it?
I think this is a case where one size doesn't fit all. I think it would be a challenge to say unilaterally that companies are or are not doing something. I think some companies are looking to enhance security as they deploy new technology such as VoIP. The good news is there are now companies focused specifically on VoIP security. But this falls in that category where as new technology is rolled out, we have to consider not only the great benefits we get from them, but also the risk that is out there. Those who recognize that are having a much easier job of it. In the big picture, do you think the good guys are winning the cybersecurity battle?
I don't think we're losing ground as we were at one point. There's more enforcement. More bad guys are being discovered, arrested and prosecuted. A wider net is being cast by industry. People are being better trained and industry is building better products. Microsoft, Oracle, Sun, IBM and HP have specifically focused on making things better.

Start the conversation

0 comments

Register

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.